 /**
  * Disconnect all clients with this CN from all pools and instances
  * managed by this service.
  *
  * The CN is interpolated verbatim into the management command
  * ("kill <cn>") without any quoting or validation here, so this method
  * relies on the caller having validated $commonName (in particular that
  * it contains no whitespace or line breaks) -- TODO confirm where that
  * validation happens.
  *
  * A failing management socket is logged and skipped, so a true result
  * only means that at least one process answered "SUCCESS: "; it does not
  * mean that every process was reached.
  *
  * @param string $commonName the CN to kill
  *
  * @return bool true if at least one process reported a successful kill
  */
 public function kill($commonName)
 {
     $clientsKilled = 0;
     // loop over all pools; the pool number is the position of the pool
     // ID in the 'vpnPools' configuration
     foreach (array_keys($this->instanceConfig->v('vpnPools')) as $poolNumber => $poolId) {
         $poolConfig = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));
         // the management address is on loopback (127/8) and encodes the
         // instance number and the pool number
         $managementIp = sprintf('127.42.%d.%d', 100 + $this->instanceConfig->v('instanceNumber'), 100 + $poolNumber);
         // loop over all processes; every process has its own port
         // (11940 + process index)
         for ($i = 0; $i < $poolConfig->v('processCount'); ++$i) {
             // add all kills from this instance to poolKills
             try {
                 // open the socket connection
                 $this->managementSocket->open(sprintf('tcp://%s:%d', $managementIp, 11940 + $i));
                 $response = $this->managementSocket->command(sprintf('kill %s', $commonName));
                 // NOTE(review): assumes command() returns a non-empty array of
                 // response lines; an empty array would hit an undefined index
                 // here -- confirm against ManagementSocket
                 if (0 === mb_strpos($response[0], 'SUCCESS: ')) {
                     ++$clientsKilled;
                 }
                 // close the socket connection
                 $this->managementSocket->close();
             } catch (ManagementSocketException $e) {
                 // we log the error, but continue with the next instance
                 // NOTE(review): close() is skipped when command() throws, so the
                 // socket may still be open at the next open() -- confirm that
                 // ManagementSocket tolerates that
                 $this->logger->error(sprintf('error with socket "%s:%s", message: "%s"', $managementIp, 11940 + $i, $e->getMessage()));
             }
         }
     }
     return 0 !== $clientsKilled;
 }
 /**
  * Write the configuration of every pool of the given instance.
  *
  * The pool number handed to writePool() is the position of the pool ID
  * in the 'vpnPools' configuration, so reordering that configuration
  * changes the numbering of the generated output.
  *
  * @param string         $instanceId     identifier of the instance (assumed to be a string -- confirm with callers)
  * @param InstanceConfig $instanceConfig configuration of the instance
  */
 public function write($instanceId, InstanceConfig $instanceConfig)
 {
     $instanceNumber = $instanceConfig->v('instanceNumber');
     $poolIds = array_keys($instanceConfig->v('vpnPools'));
     $poolCount = count($poolIds);
     for ($poolNumber = 0; $poolNumber < $poolCount; ++$poolNumber) {
         $poolId = $poolIds[$poolNumber];
         $config = new PoolConfig($instanceConfig->v('vpnPools', $poolId));
         $this->writePool($instanceNumber, $instanceId, $poolNumber, $poolId, $config);
     }
 }
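 /**
  * Fetch the group memberships of the user identified by the bearer token
  * from the configured VOOT provider.
  *
  * Any transport failure is deliberately treated as "no groups": the user
  * loses group-based access rather than gaining it, and an unreachable
  * provider does not abort the request. The failure is not logged here, so
  * a provider outage is invisible to operators unless the caller logs it.
  *
  * @param string $bearerToken the OAuth bearer token sent in the Authorization header
  *
  * @return array the decoded JSON response, or an empty array on a transport
  *               failure or when the provider did not return a JSON array/object
  */
 private function fetchGroups($bearerToken)
 {
     $httpClient = new Client();
     try {
         $apiUrl = $this->instanceConfig->v('groupProviders', 'VootProvider', 'apiUrl');
         $groups = $httpClient->get(
             $apiUrl,
             ['headers' => ['Authorization' => sprintf('Bearer %s', $bearerToken)]]
         )->json();
     } catch (TransferException $e) {
         return [];
     }

     // the contract of this method is "an array of groups"; a provider that
     // answers with a bare scalar or JSON null must not leak through to
     // callers that iterate over the result
     return is_array($groups) ? $groups : [];
 }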
 /**
  * Register the pool-related API routes on the service.
  *
  * Both handlers call Utils::requireUser() before any configuration data
  * is read or returned. The /server_pool handler runs the user-supplied
  * pool_id through InputValidation::poolId() before it is used as a
  * configuration key.
  *
  * @param Service $service the HTTP service the routes are registered on
  */
 public function init(Service $service)
 {
     $listPools = function (Request $request, array $hookData) {
         Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
         $pools = [];
         foreach (array_keys($this->instanceConfig->v('vpnPools')) as $poolId) {
             $config = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));
             $pools[$poolId] = $config->v();
         }

         return new ApiResponse('server_pools', $pools);
     };

     $showPool = function (Request $request, array $hookData) {
         Utils::requireUser($hookData, ['vpn-admin-portal', 'vpn-user-portal']);
         $poolId = $request->getQueryParameter('pool_id');
         InputValidation::poolId($poolId);
         $config = new PoolConfig($this->instanceConfig->v('vpnPools', $poolId));

         return new ApiResponse('server_pool', $config->v());
     };

     $service->get('/server_pools', $listPools);
     $service->get('/server_pool', $showPool);
 }
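 /**
  * Build the FORWARD chain rules for all pools of an instance.
  *
  * For every pool a dedicated chain "vpn-<instance>-<pool>" is created and
  * traffic arriving on the pool's tun interfaces from the pool's client
  * range is jumped to it. Inside that chain the pool-specific firewall rules
  * from self::getForwardFirewall() come first, then the optional
  * client-to-client ACCEPT, then either a catch-all ACCEPT towards the
  * external interface (defaultGateway) or one ACCEPT per configured route
  * of this address family. The order of the returned rules is significant.
  *
  * Without defaultGateway no explicit deny is emitted here: traffic that
  * matches none of the route ACCEPTs falls through to whatever follows in
  * the FORWARD chain (not visible in this method -- confirm the policy).
  * All interpolated values come from the instance/pool configuration.
  *
  * @param InstanceConfig $instanceConfig the instance configuration
  * @param int            $inetFamily     4 or 6, the address family to generate rules for
  *
  * @return array list of iptables rule fragments, in evaluation order
  */
 private static function getForwardChain(InstanceConfig $instanceConfig, $inetFamily)
 {
     // the same for every rule of this instance, read once
     $instanceNumber = $instanceConfig->v('instanceNumber');
     $forwardChain = [];
     foreach (array_keys($instanceConfig->v('vpnPools')) as $poolNumber => $poolId) {
         $poolConfig = new PoolConfig($instanceConfig->v('vpnPools', $poolId));
         if (6 === $inetFamily && !$poolConfig->v('forward6')) {
             // IPv6 forwarding was disabled for this pool
             continue;
         }
         // the client range of this pool for the requested address family
         $srcNet = 4 === $inetFamily ? $poolConfig->v('range') : $poolConfig->v('range6');

         $forwardChain[] = sprintf('-N vpn-%s-%s', $instanceNumber, $poolNumber);
         $forwardChain[] = sprintf('-A FORWARD -i tun-%s-%s+ -s %s -j vpn-%s-%s', $instanceNumber, $poolNumber, $srcNet, $instanceNumber, $poolNumber);
         // merge outgoing forwarding firewall rules to prevent certain
         // traffic; they must precede the ACCEPT rules below
         $forwardChain = array_merge($forwardChain, self::getForwardFirewall($instanceNumber, $poolNumber, $poolConfig, $inetFamily));
         if ($poolConfig->v('clientToClient')) {
             // allow client-to-client
             $forwardChain[] = sprintf('-A vpn-%s-%s -o tun-%s-%s+ -d %s -j ACCEPT', $instanceNumber, $poolNumber, $instanceNumber, $poolNumber, $srcNet);
         }
         if ($poolConfig->v('defaultGateway')) {
             // allow traffic to all outgoing destinations
             // (the format has three placeholders; the previously passed
             // fourth argument was ignored by sprintf)
             $forwardChain[] = sprintf('-A vpn-%s-%s -o %s -j ACCEPT', $instanceNumber, $poolNumber, $poolConfig->v('extIf'));
         } else {
             // only allow certain traffic to the external interface
             foreach ($poolConfig->v('routes') as $route) {
                 $routeIp = new IP($route);
                 if ($inetFamily === $routeIp->getFamily()) {
                     $forwardChain[] = sprintf('-A vpn-%s-%s -o %s -d %s -j ACCEPT', $instanceNumber, $poolNumber, $poolConfig->v('extIf'), $route);
                 }
             }
         }
     }

     return $forwardChain;
 }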